00aa65bb6c94d28f04933ebc90a56bf75d62ac3cd246afa1ef60d671a40ee978.zip

General
Target: 00aa65bb6c94d28f04933ebc90a56bf75d62ac3cd246afa1ef60d671a40ee978.zip
Size: 299KB
Sample: 210924-n5z13sghb4
Score: 10/10
MD5: bead7a59737448e6ef9c0db98eb2571d
SHA1: 4100c0d645d136de96da7d373e668f853700f809
SHA256: a3b44997bc49506912360e2dfbcf708a400c555efd6841246e499a83ebf12232
SHA512: 98af08dd406ddd3ddfd51cd1caf43da9975f5e980a4bf16d7c0e52a693d614738da9a5154b33218584e575c6facb537b03b49b8ac6f016bf32b272cb702f1aca

Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: chg
C2: http://www.chiaketo.com/chg/

Decoy domains (legitimate third-party sites the sample contacts alongside the real C2; treat them as noise, not as indicators to block):
  • worldvaypg.com
  • cremationprosguiding.info
  • counterpub.com
  • steamed-chicken.com
  • bethhavencemetery.com
  • wanda12.com
  • thejdot.com
  • juliusbuckley.com
  • realloveawaitsnow.com
  • healthandenergyadvisors.com
  • stockholmfasadputs.com
  • uvsafetysolutions.com
  • mamucosmetic.com
  • konoozalyemen.com
  • grillschalen.com
  • zljmys.com
  • paradseautos.com
  • home360.asia
  • domentemenegi37.com
  • farazahmadosama.com
  • phpman.info
  • momenwang.com
  • globalstressengineers.info
  • syu38.com
  • thegiftsofmentalillness.com
  • bytephunk.com
  • boutiquedmcretreats.com
  • jialongvideo.com
  • 736spadina.com
  • omicai.com
  • brandonneffdesign.com
  • simranmahindrakar.com
  • kashmirishoping.com
  • pinggutech.com
  • shangjingtang.com
  • sweetdesignsbykathy.com
  • rcengichem.com
  • smart-money-gal.com
  • ilbfoundation.com
  • hairstage.xyz
  • xn--buildenv-bdb.com
  • covidrecess.com
  • masihkecewa.com
  • mnt-sa.net
  • arcturus-realty.com
  • gameonaustralia.com
  • khanamericantools.com
  • grabbarquote.com
  • mamentos.info
  • zero-nezumi.com
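The extracted config above is the Formbook-style layout: one real C2 URL plus a list of decoy domains. The following is an added triage helper, not part of the sandbox report or of any Xloader tooling: it parses a constructed copy of the report's "Extracted" block into a structured config and rates observed HTTP requests against it. The function names, the `REPORT_CONFIG` text and the sample URLs are constructed for this illustration; the "beacon" rating relies on the documented Formbook/Xloader behaviour of sending the campaign's URI path to decoy hosts as well as to the real C2, which the report itself does not spell out.

```python
"""Added triage helper for the Xloader config extracted in this report.

Not part of the report: parses the flattened 'Extracted' text into a
dict and classifies observed HTTP requests against the real C2 and the
decoy list. Names and sample data below are constructed for the example.
"""
from urllib.parse import urlparse

# Constructed copy of the report's 'Extracted' block (values verbatim from
# the report; the decoy list is truncated to three entries for brevity).
REPORT_CONFIG = """\
Family xloader
Version 2.3
Campaign chg
C2

http://www.chiaketo.com/chg/

Decoy

worldvaypg.com

cremationprosguiding.info

counterpub.com
"""


def parse_config(text: str) -> dict:
    """Turn the flattened key/value report text into a dict.

    'Family', 'Version' and 'Campaign' are single 'Key value' lines and
    are stored under a lower-cased key. 'C2' and 'Decoy' are section
    headers followed by one value per non-empty line until the next header.
    """
    cfg = {"c2": [], "decoy": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("C2", "Decoy"):
            section = line.lower()
            continue
        if section:
            cfg[section].append(line)
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value
    return cfg


def classify_request(cfg: dict, url: str) -> str:
    """Rate one observed HTTP request against the extracted config.

    Returns one of:
      'c2'     host and path match the real C2: block and investigate
      'beacon' decoy host hit with the campaign's URI path ('/chg/');
               Formbook-family samples send the same path to decoys to
               hide the real C2, so this is beacon-shaped traffic
      'decoy'  decoy host with an unrelated path; these are legitimate
               third-party domains, so this alone is not malicious
      'none'   unrelated to this config
    """
    u = urlparse(url)
    host = u.netloc.lower()
    c2 = urlparse(cfg["c2"][0])
    c2_path = c2.path  # '/chg/' for this sample
    if host == c2.netloc.lower() and u.path.startswith(c2_path):
        return "c2"
    decoys = {d.lower() for d in cfg["decoy"]}
    bare = host[4:] if host.startswith("www.") else host
    if host in decoys or bare in decoys:
        return "beacon" if u.path.startswith(c2_path) else "decoy"
    return "none"


def archive_name_matches_sample(archive_name: str, sample_sha256: str) -> bool:
    """The report's zip is named after the inner file's SHA256; confirm it.

    The archive's own SHA256 (in 'General') is different, which is expected.
    """
    stem = archive_name.rsplit(".", 1)[0].lower()
    return len(stem) == 64 and stem == sample_sha256.lower()


if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    for observed in (  # constructed proxy-log URLs
        "http://www.chiaketo.com/chg/?id=1",
        "http://www.counterpub.com/chg/",
        "http://counterpub.com/about",
        "http://example.com/chg/",
    ):
        print(f"{classify_request(cfg, observed):7} {observed}")
```

Only the C2 host plus path is a blockable indicator; the decoy domains are real sites and should at most be used to recognise beacon-shaped requests carrying the campaign path.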

Targets
Target: B1o.exe
MD5: 5e3dc4e700d55cb8232bdbeade8ca8ad
Filesize: 614KB
Score: 10/10
SHA1: 8a4c46e292dafb7db736c03f784a997b6dece9aa
SHA256: 00aa65bb6c94d28f04933ebc90a56bf75d62ac3cd246afa1ef60d671a40ee978 (this is the hash the archive is named after; the archive itself hashes differently, see General)
SHA512: 6b1d6e010c303ea7663f33d82255eea9f0c0c2b941301788b3e811138c1f08021b922e4a63426b2f3deb00d5b36e4d2eed3ea640a7562998836b87e2bfa02cf9

Signatures

  • Xloader
    Description: Xloader is the rebranded successor of the Formbook infostealer and keeps its C2 scheme (one real C2 URL hidden among decoy domains, as in the extracted config above).

  • Xloader Payload

  • Blocklisted process makes network request

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
    TTPs: Data from Local System (T1005), Credentials in Files (T1552.001)

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder (T1547.001), Modify Registry (T1112)

  • Suspicious use of SetThreadContext
    Description: SetThreadContext on a thread of another (typically freshly created, suspended) process is the usual tell of process injection or hollowing, consistent with the Xloader payload being detected in a second process.
